Sunday, 7 August 2011

Backtrack 5 and Windows Dual Boot with Full Disk Encryption

This post explains how to set up your computer to dual boot Backtrack 5 and Windows, with both operating systems fully encrypted. The guide focuses on Backtrack 5 (Gnome desktop) and Windows 7. It should be straightforward to follow it with a different version of Windows; if you want to install a different Linux distribution, the instructions can differ significantly.

Truecrypt will be used to encrypt the Windows installation and dm-crypt with LUKS to encrypt Backtrack. To follow this guide you need the Windows and Backtrack installation CDs ready to use.

To clarify an important point: I use full disk encryption to protect my data in case my laptop is lost or stolen. It will not protect you if an adversary forces you to reveal your password. For such situations you can use deniable encryption, which is also provided by Truecrypt.

Preparation

Format

Before we begin the installation we will perform an anti-forensic format of the complete hard drive. This is a fancy way of saying that we will use a tool to overwrite the whole disk with random data. It's needed because simply deleting your files won't actually remove them: they are merely marked as deleted and may be overwritten with new data at some point in the future, so an attacker might still be able to retrieve your supposedly deleted files.

Another problem is that it might be possible to retrieve old data even after it has been overwritten with new data, for example with a technique such as magnetic force microscopy. To defend against these kinds of attacks we will overwrite the complete hard drive several times with random data.

Because securely formatting the hard drive was not my main goal I personally used the tool shred. It's available on the Backtrack live CD and can be started with "shred /dev/sda". Another tool you can use is DBAN, a live CD that lets you securely wipe an entire hard disk.

Partitioning

Because the partition manager available during the Backtrack installation is limited in functionality, we will use gparted to partition the hard disk. Start the Backtrack live CD, open a terminal and type "apt-get install gparted" to install it. Then start it by executing "gparted".

Click on Device -> Create Partition Table. The default is to create an MS-DOS partition table, which is what we need, so click on Apply. Now we can create the partitions. At minimum you will need the following partitions:

One partition that will contain Windows. During the installation we will first use this space to install an unencrypted Backtrack system; afterwards we will install Windows on it. Hence this partition must first be formatted as ext4, and later we will format it as NTFS for Windows.

One ext4 partition that will contain the (unencrypted) files necessary to boot the encrypted Backtrack installation. A 370 MB ext4 partition will suffice.

Preferably, but not strictly necessary, one Linux swap partition. The ideal size depends on how much RAM you have. Since I have 4 GB of RAM, around 800 MB of swap space should suffice.

One ext4 partition that will contain the encrypted Backtrack installation. For this I have chosen a 20 GB ext4 partition.

As mentioned, we will first install Backtrack on the partition that will eventually contain Windows. This is done because we can't install Backtrack directly onto an encrypted partition. Therefore we first install it to an unencrypted partition and then copy all the files to the encrypted partition. Once that is done we will format the Windows partition as NTFS and install Windows on it.

Depending on the size of your hard disk and your preferences you can customize the number and sizes of the partitions. Anyway, I will now detail how to create these basic partitions. First select the unallocated space and click on Partition -> New. Fill in the options as shown below (the partition sizes may differ for you).

Create an extended partition for the remaining unallocated space. Now continue by creating the other partitions to your liking. I ended up with the following table, which you can also use if you want (again, sizes may differ).

Click on Edit -> Apply All Operations to write the changes to disk. Close gparted. In the remainder of this guide I will use the device names as shown in the previous image. That is, the device names correspond to the partitions as follows:

/dev/sda1: Windows partition (temporarily used to first install Backtrack)

/dev/sda5: Unencrypted boot partition

/dev/sda6: Swap partition for Backtrack

/dev/sda7: Encrypted Backtrack partition

If you use a different partition scheme, be sure to use the correct device names in the commands listed throughout this guide.

Installing Backtrack 5

Start the graphical installer of Backtrack 5 and fill in the required information until you get to "Prepare disk space", where you must select "Specify partitions manually (advanced)".

In the next step click on /dev/sda1, then on "Change", and set it to be an ext4 partition mounted at /. Do not change the partition size!

Now do the same for /dev/sda5: set it to ext4, but this time mount it at /boot. I ended up with the following configuration:

When clicking on "Forward" it might warn you that some file systems are not marked for formatting but the files on them will nevertheless be deleted. Simply click on Continue and proceed with the installation.

Once the installation has finished you can restart your computer to ensure everything is properly installed.

Downgrading to GRUB

At the time of writing GRUB 2 is unable to chainload the Truecrypt bootloader (at least to my knowledge, and not without annoying workarounds). For this reason we will downgrade to GRUB (grub legacy), which can handle everything perfectly and offers the same functionality.

Start the Backtrack system you have just installed and open a terminal. To remove GRUB 2 execute "apt-get purge grub-pc". If it asks whether to remove all GRUB 2 files from /boot/grub, select yes. Then execute "rm /boot/grub/core.img" to get rid of the remaining GRUB 2 files. Your computer won't be bootable until we install the old version of grub.

Install grub by executing "apt-get install grub". Configure grub to load during boot by executing "grub-install /dev/sda". Finally configure the grub boot menu by executing "update-grub". It should say "could not find /boot/grub/menu.lst ...". Enter yes to create the menu. Reboot the system to verify it boots properly.

Note: The grub menu will now display "Ubuntu 10.04.2 LTS" instead of Backtrack 5. At the end of this guide we will clean up this menu entry.

Encrypting Backtrack

Encrypted Partition

From your Backtrack installation open a terminal. To be sure we have all the packages we need, execute "apt-get install cryptsetup hashalot initramfs-tools". On Backtrack 5 only hashalot will be installed, as cryptsetup and initramfs-tools are already included in the default installation.

We have to create an initial ramdisk (initrd/initramfs) that contains all the tools necessary to boot a basic Linux environment which asks for your password and can decrypt the encrypted Backtrack partition during boot. An initial RAM disk is an initial root file system that is mounted before the real root file system is available (which in our case is encrypted). We will create it using initramfs-tools.

To specify that the partition needs to be decrypted during boot execute the following single command:

This will create the file /etc/initramfs-tools/conf.d/cryptroot with the given line as its content. Execute "update-initramfs -u" to apply these changes. Now run the following commands to create an encrypted partition:

modprobe dm_crypt

modprobe sha256_generic

luksformat -t ext4 /dev/sda7

For the last command be sure to type an uppercase YES. Otherwise it will give the cryptic error message "Cloud not create LUKS device /dev/sda7 at /usr/sbin/luksformat line 63, <MOUNTS> line 15". If you get the error message "Device luksformat1 is busy" after the format has completed, execute "cryptsetup luksClose /dev/mapper/luksformat1". We now mount the newly created encrypted partition and copy our Backtrack installation to it. For this execute the following commands:

cryptsetup luksOpen /dev/sda7 cryptoroot

mkdir /mnt/target

mount /dev/mapper/cryptoroot /mnt/target

cp -avx / /mnt/target

Copying can take a while. Once completed, open /mnt/target/etc/fstab and find the section that refers to the partition where the unencrypted Backtrack system was installed. It can be recognized by the line above it, which contains "# / was on /dev/sdaX during installation". The line under it will look something like this:

We need to change its UUID to the UUID of the encrypted partition. To get that UUID execute "blkid | grep /dev/mapper/cryptoroot". Once you know it, update the line with the new UUID.

Testing with GRUB

Before we continue we will add a temporary entry to GRUB to verify that we can boot the encrypted Backtrack system. To do this, edit /boot/grub/menu.lst and under the line "### END DEBIAN AUTOMAGIC KERNELS LIST" add the following lines:

Here (hd0,4) stands for the boot partition. You can get the correct kernel version by looking at the lines between the DEBIAN AUTOMAGIC KERNELS entries. Replace <uuid> (angle brackets included) with the UUID of the encrypted partition, which can be found by executing "blkid | grep /dev/mapper/cryptoroot".

Reboot the system and press ESC to enter the GRUB menu during boot. Select cryptotest from the menu. If something goes wrong, restart, choose Ubuntu in the grub menu and try to figure out what went wrong. If you followed this guide everything should work.

Encrypted Swap

This step is best performed from the Cryptotest environment we just added to the grub boot menu. You can also perform it from the unencrypted Backtrack installation, but then you must be sure to mount the encrypted partition and modify the correct files. This guide will assume you are running the Cryptotest option (i.e., the encrypted Backtrack system). The following procedure makes sure that the swap is also encrypted. This is important because sensitive data can be written to swap while using your computer.

We will first disable swap and destroy the file system on the swap partition. For this execute the following two commands:

swapoff -v /dev/sda6

dd if=/dev/urandom of=/dev/sda6 count=100

Open /etc/crypttab and append the following line to the file:

cryptoswap /dev/sda6 /dev/urandom swap

Now open /etc/fstab and replace the line under "swap was on /dev/sda6 during installation" with:

/dev/mapper/cryptoswap none swap sw 0 0

To test if everything is set up properly execute the following commands:

invoke-rc.d cryptdisks restart

swapon /dev/mapper/cryptoswap

Now the command "swapon -s" will show you the loaded swap partitions. It should contain the cryptoswap entry if everything is configured properly.

Final GRUB Config

Time to configure a proper GRUB menu. Open /boot/grub/menu.lst and remove the "Cryptotest" lines that you added earlier. Search for the line containing "# kopt=root=UUID=<uuid> ro" and replace the UUID with the UUID of /dev/mapper/cryptoroot. Remember that you can get this UUID by executing "blkid | grep /dev/mapper/cryptoroot". Once this is done execute the command "update-grub".
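The UUID substitution described here, and the same edit to fstab earlier in the guide, can be scripted. The following is an added example, not part of the original post: it pulls the UUID for /dev/mapper/cryptoroot out of saved blkid output and rewrites the root line in an fstab file and the "# kopt=" line in a menu.lst, refusing anything that is not a bare UUID (such as a leftover "<uuid>" placeholder). It runs on constructed sample files, so the paths and UUIDs below are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Rewrites the root UUID in an
# fstab file and in the "# kopt=root=UUID=... ro" line of a menu.lst to the
# UUID blkid reports for /dev/mapper/cryptoroot. Runs on constructed sample
# files; on a real system you would point it at saved blkid output,
# /mnt/target/etc/fstab and /boot/grub/menu.lst.
set -eu

# Print the UUID blkid reports for a device, from saved blkid output.
# Usage: uuid_of_device <blkid-output-file> <device>
uuid_of_device() {
    grep "^$2: " "$1" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p'
}

# Accept only a bare UUID; rejects "" and a "<uuid>" placeholder left in
# place (the mistake one of the commenters below ran into).
check_uuid() {
    echo "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
        || { echo "not a UUID: '$1'" >&2; return 1; }
}

# Replace the UUID on the line that follows
# "# / was on /dev/sdaX during installation".
# Usage: set_fstab_root_uuid <fstab-file> <uuid>
set_fstab_root_uuid() {
    check_uuid "$2"
    awk -v uuid="$2" '
        prev ~ /^# \/ was on \/dev\/sda[0-9]+ during installation/ && /^UUID=/ {
            sub(/^UUID=[^ \t]*/, "UUID=" uuid)
        }
        { prev = $0; print }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Replace the UUID in the "# kopt=root=UUID=... ro" line (the pattern also
# matches a literal "<uuid>" placeholder).
# Usage: set_kopt_root_uuid <menu.lst-file> <uuid>
set_kopt_root_uuid() {
    check_uuid "$2"
    sed "s|^# kopt=root=UUID=[^ ]* ro|# kopt=root=UUID=$2 ro|" "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# --- constructed sample files (all values are made up) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/blkid.txt" <<'EOF'
/dev/sda1: UUID="11111111-1111-1111-1111-111111111111" TYPE="ext4"
/dev/mapper/cryptoroot: UUID="7d3b2c45-0a6e-4f1b-9c8d-2e5f6a7b8c9d" TYPE="ext4"
EOF
cat > "$demo_dir/fstab" <<'EOF'
proc            /proc           proc    nodev,noexec,nosuid 0       0
# / was on /dev/sda1 during installation
UUID=11111111-1111-1111-1111-111111111111 /      ext4    errors=remount-ro 0       1
# /boot was on /dev/sda5 during installation
UUID=22222222-2222-2222-2222-222222222222 /boot  ext4    defaults        0       2
EOF
cat > "$demo_dir/menu.lst" <<'EOF'
# kopt=root=UUID=<uuid> ro
# defoptions=
EOF

uuid=$(uuid_of_device "$demo_dir/blkid.txt" /dev/mapper/cryptoroot)
set_fstab_root_uuid "$demo_dir/fstab" "$uuid"
set_kopt_root_uuid "$demo_dir/menu.lst" "$uuid"
grep -n "$uuid" "$demo_dir/fstab" "$demo_dir/menu.lst"
```

Only the root line under the "# / was on" comment is touched; the /boot line keeps its own UUID, and update-grub can then be run as described above.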

In my case the default splash screen prevented me from correctly entering the password during boot. For this reason we will remove the splash screen during boot. Open /boot/grub/menu.lst and remove "quiet splash" from the first line in the entry for "Ubuntu 10.04 LTS, kernel 2.6.38". If you want to, you can change the title to display Backtrack 5 instead of Ubuntu. As suggested by a commenter, you must also change "defoptions=quiet splash" to "defoptions=". This makes sure that running update-grub will not re-add the "quiet splash" argument in the future. Optionally, if you want the grub boot menu to be displayed by default during boot, you can comment out "hiddenmenu" by changing it to "# hiddenmenu".

Note: To finish the complete setup of Backtrack execute "apt-get update" and "apt-get upgrade" in order to update all the packages.

Installing Windows

Before we can install Windows we must create an NTFS partition where it can be installed. To do this, boot your Backtrack installation (or do this from a live CD), install gparted by executing "apt-get install gparted" and run it by executing "gparted".

Right click on /dev/sda1, the partition where you installed the unencrypted Backtrack installation. Select Format to -> NTFS. Then go to Edit -> Apply All Operations to save the changes to disk. If for some reason these steps didn't work the first time and /dev/sda1 still shows up with a file system other than NTFS, simply format /dev/sda1 a second time and it should work.

You can now insert the Windows installation CD and reboot. Continue the Windows installer as normal until you get to "Which type of installation do you want?". Here select "Custom (advanced)". In the next screen select "Disk 0 Partition 1" and click on Next.

Start Truecrypt and click on System -> Encrypt System Partition/Drive. Choose Normal, Encrypt the Windows system partition, Single boot, select your preferred encryption options (the defaults should be good), and continue with the wizard while providing the information it needs. Be sure to create the rescue CD, as it is very important in case the Truecrypt bootloader gets damaged. If it asks you to restart the system, do so. During boot you should see the Truecrypt boot loader (we will soon restore the GRUB boot loader). It will ask you for the password; enter it and continue booting.

When Windows has started, it should ask to encrypt the Windows partition. Click on Encrypt. This can take a while depending on the size and speed of your hard disk. Go get a beer, watch a movie, and take a break.

Once it's done you can verify everything still works by rebooting Windows.

Restoring GRUB

Boot from the Backtrack live CD. We will first copy the Truecrypt bootloader to a file on the Linux boot partition. To do this open a terminal and do the following:

Mount the boot partition by executing "mount /dev/sda5 /mnt".

Copy the Truecrypt boot loader by executing the following two commands:

dd if=/dev/sda of=/mnt/truecrypt.mbr count=1 bs=512

dd if=/dev/sda of=/mnt/truecrypt.backup count=8 bs=32256
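Before relying on the copied sector, it is worth checking that what dd wrote is actually a boot sector. The following is an added example, not from the original post: it verifies that a file such as /mnt/truecrypt.mbr is exactly 512 bytes, ends with the 0x55AA boot signature, and still lists the partition table entries you expect (the bootable NTFS partition and the extended partition in this guide's layout). The sector it checks is constructed inline rather than captured from a disk.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for a copied MBR
# such as /mnt/truecrypt.mbr before it is chainloaded from GRUB. The sample
# sector is constructed below; pass a real file to mbr_is_valid/mbr_partitions.
set -eu

# Bytes [offset, offset+len) of a file as space-separated lowercase hex.
# Usage: hex_at <file> <offset> <len>
hex_at() {
    od -An -tx1 -j "$2" -N "$3" "$1" | tr '\n' ' ' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# Little-endian 32-bit value at an offset, printed in decimal.
le32_at() {
    set -- $(hex_at "$1" "$2" 4)
    echo $(( 0x$4 * 16777216 + 0x$3 * 65536 + 0x$2 * 256 + 0x$1 ))
}

# 0 if the file is exactly one 512-byte sector ending in the 55 AA signature.
mbr_is_valid() {
    [ "$(wc -c < "$1")" -eq 512 ] && [ "$(hex_at "$1" 510 2)" = "55 aa" ]
}

# One line per used partition entry (table starts at byte 446, 16 bytes each):
# "<n> boot=<0|1> type=0x<tt> start=<lba> sectors=<count>"
mbr_partitions() {
    n=1
    while [ "$n" -le 4 ]; do
        off=$(( 446 + (n - 1) * 16 ))
        ptype=$(hex_at "$1" $(( off + 4 )) 1)
        if [ "$ptype" != "00" ]; then
            boot=0
            [ "$(hex_at "$1" "$off" 1)" = "80" ] && boot=1
            echo "$n boot=$boot type=0x$ptype start=$(le32_at "$1" $(( off + 8 ))) sectors=$(le32_at "$1" $(( off + 12 )))"
        fi
        n=$(( n + 1 ))
    done
}

# Constructed sample: empty boot code, a bootable NTFS (0x07) primary partition
# at LBA 2048 (like /dev/sda1 here), an extended (0x05) partition after it,
# two empty entries, then the 55 AA signature.
build_sample_mbr() {
    {
        head -c 446 /dev/zero
        printf '\200\000\000\000\007\000\000\000\000\010\000\000\000\000\200\002'
        printf '\000\000\000\000\005\000\000\000\000\010\200\002\000\055\061\001'
        head -c 32 /dev/zero
        printf '\125\252'
    } > "$1"
}

sample=$(mktemp)
build_sample_mbr "$sample"
mbr_is_valid "$sample" && echo "valid boot sector"
mbr_partitions "$sample"
```

If mbr_is_valid fails on the real /mnt/truecrypt.mbr, the dd copy should be redone before GRUB is pointed at it.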

We will now restore the grub boot menu by executing the commands:

apt-get install grub

grub

Execute "find /grub/stage1". This should output the line "(hdX,Y)", where X and Y are numbers depending on how you set up your partitions. These numbers will be used in the next commands. In my case the output is "(hd0,4)".

root (hdX,Y)

setup (hdX)

quit

Now let's add the Truecrypt boot loader as an option to the grub menu. Open /mnt/grub/menu.lst in your favourite editor. Under the line "### END DEBIAN AUTOMAGIC KERNELS LIST" add the following lines:

35 comments:

Just some minor changes I recommend: before booting into the "cryptotest" environment for the first time one should run "update-initramfs -u".

The menu.lst boot entries need to start with a lowercase "title".

When updating menu.lst in "Final GRUB Config" and setting kopt=root=UUID you might want to clear "defoptions=quiet splash" too, changing it to "defoptions=". This way the default entry (in this case bt) will be set up properly by running update-grub (otherwise it would get changed again every time you run update-grub).

One might also want to comment out "hiddenmenu", changing it to "#hiddenmenu", so the boot menu will be displayed every time.

And it might be a good idea to make grub show the grub menu at the first "Cryptotest" by commenting out 'hiddenmenu', because on my laptop grub didn't want to react to the ESC key for some reason.

One more problem I encountered: after having installed Windows, encrypted it etc. (followed the guide till the end), when I tried to start Backtrack it would not boot because inside the menu.lst there was the wrong uuid for the Backtrack entry.

Before installing Windows it worked though, so one might have to redo the uuid adjustment (setting it to the encrypted partition again, like told and done earlier in the guide) after re-installing grub after the Windows installation.

the i replaced with the one given by "blkid | grep /dev/mapper/cryptoroot" ... but I noticed that this uuid is different from the one I get when I run gparted and check out the information about /dev/sda6 ... so I have tried with both uuids, but every time I get: "Error 17: Cannot mount selected partition" "Press any key to continue ..."

Are you using a custom partition scheme? Make sure "root (hd0,5)" is correct. Also use the UUID returned by blkid corresponding to cryptoroot. It's been a while since I wrote this though, so I can't easily give detailed information. Did you follow the guide as explained or did you make some modifications of your own along the way?

hi, and thx. yes I did everything as described here, except the partitioning ... I have my own scheme, but I double-checked that the root device and its uuid correspond with my case ... I think the problem is that the bootloader makes no attempt/call to decrypt the partition ... it does not ask for the passphrase before trying to mount ... anyway, does not matter ... I am trying another tutorial ... and it seems to work fine for me now. Thanks for your answer anyway

Hi, Thanks for this great tutorial. I'm following your guide exactly as is. I'm having an issue which I can't debug. When I try to boot with Cryptotest, it asks for my luks password and things seem to be going well, but then I get the following alert: "Alert! /dev/disk/by-uuid/ does not exist. Dropping to a shell!"

Ok, now I've triple checked the UUID and it is correct, so I don't understand why initram is complaining and not mounting the encrypted BT partition at sda7 (my setup is exactly like yours).

I've googled around before bothering you and it seems that this error is somewhat common with lucid. https://bugs.launchpad.net/ubuntu/+source/linux/+bug/594523

Unfortunately no one seems to really know why this happens, so there doesn't seem to be a simple fix. You can see here (http://ubuntuforums.org/showthread.php?t=1492816) and here (http://www.geekzone.co.nz/forums.asp?forumid=46&topicid=81382).

I'm replying to myself so that others can learn from my stupid mistake and not spend a whole day pulling their hair out. Obviously I made a silly mistake when setting up the cryptotest. When reading "kernel /vmlinuz-2.6.38 root=UUID= ro" I obviously wasn't paying attention because I put in my UUID but forgot to replace the < and >. These should not be present. That was my mistake. After I corrected that all went well.

I followed your instructions to the letter and I never ran into any problems until the very end. When I attempt to boot into Windows 7 it says "Error 15: File not found". I'm sure I've made a stupid typo somewhere and I'm still investigating.

Just wanted to let you (and everyone else too) know that if you update your system using this guide (http://www.backtrack-linux.org/backtrack/upgrading-to-backtrack-5-r2/) you end up not being able to boot into the new kernel (after step 1). You need to boot into the old kernel again, log in and execute "update-grub". Then you can boot into the new kernel and continue upgrading.

Hey, thank you Mathy for this great guide! Everything worked fine; after encrypting Backtrack5R2 it booted fine. After installing win7 and finalizing grub, I get:

"No init found. Try passing init= bootarg."

after Luks authentication. I can still boot into encrypted win7. I "trippel" checked all my inputs but after 5 hours of testing I don't know what went wrong. I used the exact same partitioning as you did.

When mounting the encrypted BT5R2 partition (sda7) the links "initrd.img" and "vmlinux" appear as broken?

Sorry for my noobish question, I tried to read all google gave me but I am kind of lost.

thx michael, I decided to take the time and redo all from the beginning. But: same result. Another lost night, well I am learning. I power on, see the grub menu where I can choose BT5 or win7. Win7 gets me to the truecrypt loader and then boots fine. When entering BT5 it asks for my Luks password as it should; after unlocking it tries to boot but stops with Error: "No init found. Try passing init= bootarg".

Image: http://imageshack.us/photo/my-images/140/imag0248o.jpg/ I provided you with full menu.lst and boot.log information on http://pastebin.com/rT70WKjY

I carefully followed the guide. But... I really want this setup to work. I have absolutely no idea what is wrong. I tried fsck dev/sda5 and also updated grub, from the live USB system. Your help is highly appreciated!

I have an aesthetic question. It relates to the last commands to save the mbr into a file. I've changed the appearance of the Truecrypt Bootloader after I had copied the file (user-defined password prompt). So I've restored the original Truecrypt Bootloader with the Truecrypt rescue disk. After this I've modified the bootloader with truecrypt again. Now I've booted my liveusb and deleted the truecrypt.mbr and the truecrypt.backup, and after this I've tried to copy the modified bootloader back into the truecrypt.* files with the same commands. But now every time I try to boot the new mbr file from grub it loads the old one, which I thought I had already deleted and replaced.

Where is my flaw? (sorry for the simple language and grammar mistakes...)

Whatever is in /boot/truecrypt.mbr gets chainloaded by grub. To change it, boot into windows, adjust your settings in the truecrypt program, boot a live cd and redo the steps from "Restoring GRUB" in this tutorial.

Since I never did this, it is just theory. Don't mess up your system :-) -michael

Hi, I'm using bt5 r2 kde in virtual box inside my win7. But every time I start the virtual box I have to use it like a live cd, not as an os. I already installed it in virtual box. Do I have any cure for this problem? Plz help me out. Thanks.

Having a weird issue. I've found similar issues but nothing exact. I have it set up on a USB hdd and it works great in a VM, but when I hook it into a computer with an existing hdd I get the grub menu, choose the backtrack option and it fails after not being able to mount /dev/sda7. This is due to the fact that the external drive on this pc is sdb not sda. But I have double checked menu.lst and fstab to only use UUID rather than path. But I can't seem to find where it is getting sda7 hardcoded. Have also re-run update-grub several times.

Hey, I wanted to say this guide is very useful. Even though it's 2012 I use it, and I was going to mention that now you don't have to do the grub downgrade. I am dual booting Windows 8 Pro and Backtrack 5r3, both 64bit. I had Windows 8 Pro already installed and so it filled the /dev/sda1 and /dev/sda2 spots. I did follow your linux partition advice and did that. However, if you have windows installed already you don't need to create a new partition table, or else it will delete all your partitions and windows. Here was my partition setup:

Next, I didn't need to downgrade grub. I continued using the regular grub, so I skipped that part and followed everything else. Besides, I found the cryptotest entry you wanted to test; I couldn't get it to work but my partition is encrypted since it won't allow access until I enter the password.

Last, at the final grub config, since I'm using the regular grub instead of downgrading it, you edit it under /boot/grub/grub.cfg

And if you keep grub 2 and you encrypt the partition, after you boot and you get to the BackTrack 5 screen and it sits there, hit the delete button to see the access to enter your encryption password.

This guide is gold. Every single step worked to the T. I'm running windows 8 pro 64 with bt5r3.. a virtually duplicate setup to the guide on a 160gb hdd. Everything is well explained, not a single problem encountered/no workarounds needed. This is right on the money.